trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

Host name node01 does not match the certificate subject provided by the peer (CN=instance) #6782

Open dyhyao6 opened 3 years ago

dyhyao6 commented 3 years ago

My ES server has TLS enabled. This is my catalog/es.properties below:

connector.name=elasticsearch
elasticsearch.host=node01
elasticsearch.port=9200
elasticsearch.tls.enabled=true
elasticsearch.tls.verify-hostnames=false
elasticsearch.tls.keystore-path=/opt/zfbdp/elasticsearch/config/elastic-certificates.p12
elasticsearch.tls.truststore-path=/opt/zfbdp/elasticsearch/config/elastic-certificates.p12
elasticsearch.tls.keystore-password=
elasticsearch.tls.truststore-password=
elasticsearch.default-schema-name=default

After starting the server with ./launcher run, these errors occur:

2021-02-01T20:46:28.740+0800 ERROR NodeRefresher io.trino.plugin.elasticsearch.client.ElasticsearchClient Error refreshing nodes
io.trino.spi.TrinoException: Host name 'node01' does not match the certificate subject provided by the peer (CN=instance)
    at io.trino.plugin.elasticsearch.client.ElasticsearchClient.doRequest(ElasticsearchClient.java:795)
    at io.trino.plugin.elasticsearch.client.ElasticsearchClient.fetchNodes(ElasticsearchClient.java:380)
    at io.trino.plugin.elasticsearch.client.ElasticsearchClient.refreshNodes(ElasticsearchClient.java:185)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'node01' does not match the certificate subject provided by the peer (CN=instance)
    at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:208)
    at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:368)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)

@joshk @electrum @andykram why?
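
Why a handshake like the one in the post above is rejected, as an added example that is not part of the original thread or of Trino's code: a simplified host name check over certificate names, using the dict layout of Python's `ssl.SSLSocket.getpeercert()`. The sample certificates are constructed, and that the server certificate carries no DNS SAN for node01 is an assumption, since the error only reports CN=instance.

```python
# Added example: simplified RFC 6125-style host name check (DNS names only;
# IP-address SANs are out of scope). Falling back to the subject CN when no
# DNS SAN exists is assumed here; it mirrors common verifier behaviour.

def cert_dns_names(cert):
    """Return (names, source): DNS SANs if present, else subject CN values."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "commonName"

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:          # refuse overly broad patterns like *.com
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def verify_hostname(cert, host):
    """Return (ok, explanation) for the host name the client dialed."""
    names, source = cert_dns_names(cert)
    ok = any(name_matches(n, host) for n in names)
    verdict = "matches" if ok else "does not match"
    return ok, f"'{host}' {verdict} {source} {names}"

# Constructed sample certificates (not taken from any real server).
CERT_FROM_ISSUE = {"subject": ((("commonName", "instance"),),)}  # CN as in the error
CERT_WITH_SAN = {
    "subject": ((("commonName", "instance"),),),
    "subjectAltName": (("DNS", "node01"), ("DNS", "*.es.example.internal")),
}

if __name__ == "__main__":
    for cert in (CERT_FROM_ISSUE, CERT_WITH_SAN):
        for host in ("node01", "instance", "data1.es.example.internal"):
            print(verify_hostname(cert, host)[1])
```

With the CN-only certificate, node01 fails exactly as in the stack trace; once a DNS SAN is present, only the SAN entries are consulted and the CN no longer counts.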

Yann-J commented 3 years ago

Hello! Did you figure this out?

I'm facing the same problem...

I have the impression that it's no longer supported to ignore host name verification...

allanshimako commented 3 years ago

Hello,

I had the same problem and I made it work by setting elasticsearch.tls.verify-hostnames to true.

I'm not a Java developer, but I think it comes from this line of code. I think it should check for false but it doesn't: https://github.com/trinodb/trino/blob/699c0ad03a5721fa34a5e0301e6ba99976325dd8/plugin/trino-elasticsearch/src/main/java/io/trino/plugin/elasticsearch/client/ElasticsearchClient.java#L241

Any thoughts?

ksajjan commented 2 years ago

I had the same issue. I resolved it with the property below:

elasticsearch.ignore-publish-address=true

The complete config:

connector.name=elasticsearch
elasticsearch.host=elastichost.com
elasticsearch.port=9200
elasticsearch.security=PASSWORD
elasticsearch.auth.user=elastic_user
elasticsearch.auth.password=elastic_user_password
elasticsearch.default-schema-name=default
elasticsearch.ignore-publish-address=true
elasticsearch.tls.enabled=true
elasticsearch.tls.truststore-path=/home/ubuntu/ca.crt